css-flexbox: fixes for -webkit-box using LayoutFlexibleBox

This addresses two problems that triggered CHECKs/use-after-free: LayoutBlock, for -webkit-box, needs to add children to anonymous blocks in some cases. LayoutFlexibleBox should not merge anonymous flex items for -webkit-box. BUG=1010706 TEST=none Change-Id: Ic8cb22f4f031813c1e1447bc23f4bfb930b3caec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1838754 Commit-Queue: Scott Violet <sky@chromium.org> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Cr-Commit-Position: refs/heads/master@{#703115}

css-flexbox: fixes for -webkit-box using LayoutFlexibleBox
This addresses two problems that triggered CHECKs/use-after-free: LayoutBlock, for -webkit-box, needs to add children to anonymous blocks in some cases. LayoutFlexibleBox should not merge anonymous flex items for -webkit-box. BUG=1010706 TEST=none Change-Id: Ic8cb22f4f031813c1e1447bc23f4bfb930b3caec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1838754 Commit-Queue: Scott Violet <sky@chromium.org> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Cr-Commit-Position: refs/heads/master@{#703115}
f55cd2cd · Scott Violet · Commit Bot · d611deb6 · f55cd2cd · f55cd2cd
Commit f55cd2cd authored Oct 05, 2019 by Scott Violet Committed by Commit Bot Oct 05, 2019
5 changed files
--- a/third_party/blink/renderer/core/layout/layout_block.cc
+++ b/third_party/blink/renderer/core/layout/layout_block.cc
@@ -308,7 +308,8 @@ void LayoutBlock::AddChildBeforeDescendant(LayoutObject* new_child,
    // Insert the child into the anonymous block box instead of here.
    if (new_child->IsInline() ||
        (new_child->IsFloatingOrOutOfFlowPositioned() &&
-         !IsFlexibleBoxIncludingNG() && !IsLayoutGrid()) ||
+         (StyleRef().IsDeprecatedFlexboxUsingFlexLayout() ||
+          (!IsFlexibleBoxIncludingNG() && !IsLayoutGrid()))) ||
        before_descendant->Parent()->SlowFirstChild() != before_descendant) {
      before_descendant_container->AddChild(new_child, before_descendant);
    } else {
@@ -350,7 +351,8 @@ void LayoutBlock::AddChild(LayoutObject* new_child,

  if (new_child->IsInline() ||
      (new_child->IsFloatingOrOutOfFlowPositioned() &&
-       !IsFlexibleBoxIncludingNG() && !IsLayoutGrid())) {
+       (StyleRef().IsDeprecatedFlexboxUsingFlexLayout() ||
+        (!IsFlexibleBoxIncludingNG() && !IsLayoutGrid())))) {
    // If we're inserting an inline child but all of our children are blocks,
    // then we have to make sure it is put into an anomyous block box. We try to
    // use an existing anonymous box if possible, otherwise a new one is created

--- a/third_party/blink/renderer/core/layout/layout_flexible_box.cc
+++ b/third_party/blink/renderer/core/layout/layout_flexible_box.cc
@@ -46,6 +46,7 @@
 #include "third_party/blink/renderer/core/style/computed_style.h"
 #include "third_party/blink/renderer/platform/geometry/length_functions.h"
 #include "third_party/blink/renderer/platform/instrumentation/use_counter.h"
+#include "third_party/blink/renderer/platform/runtime_enabled_features.h"
 #include "third_party/blink/renderer/platform/wtf/math_extras.h"

 namespace blink {
@@ -273,8 +274,10 @@ void LayoutFlexibleBox::MergeAnonymousFlexItems(LayoutObject* remove_child) {
 }

 void LayoutFlexibleBox::RemoveChild(LayoutObject* child) {
-  if (!DocumentBeingDestroyed())
+  if (!DocumentBeingDestroyed() &&
+      !StyleRef().IsDeprecatedFlexboxUsingFlexLayout()) {
    MergeAnonymousFlexItems(child);
+  }

  LayoutBlock::RemoveChild(child);
  intrinsic_size_along_main_axis_.erase(child);

--- a/third_party/blink/renderer/core/layout/layout_object.cc
+++ b/third_party/blink/renderer/core/layout/layout_object.cc
@@ -255,11 +255,8 @@ LayoutObject* LayoutObject::CreateObject(Element* element,
      return LayoutObjectFactory::CreateTableCaption(*element, style, legacy);
    case EDisplay::kWebkitBox:
    case EDisplay::kWebkitInlineBox:
-      if (RuntimeEnabledFeatures::WebkitBoxLayoutUsesFlexLayoutEnabled() &&
-          (!style.HasLineClamp() ||
-           style.BoxOrient() == EBoxOrient::kHorizontal)) {
+      if (style.IsDeprecatedFlexboxUsingFlexLayout())
        return new LayoutFlexibleBox(element);
-      }
      return new LayoutDeprecatedFlexibleBox(*element);
    case EDisplay::kFlex:
    case EDisplay::kInlineFlex:

--- a/third_party/blink/renderer/core/style/computed_style.h
+++ b/third_party/blink/renderer/core/style/computed_style.h
@@ -1203,6 +1203,11 @@ class ComputedStyle : public ComputedStyleBase,
    return Display() == EDisplay::kWebkitBox ||
           Display() == EDisplay::kWebkitInlineBox;
  }
+  bool IsDeprecatedFlexboxUsingFlexLayout() const {
+    return IsDeprecatedWebkitBox() &&
+           RuntimeEnabledFeatures::WebkitBoxLayoutUsesFlexLayoutEnabled() &&
+           (!HasLineClamp() || BoxOrient() == EBoxOrient::kHorizontal);
+  }

  // Variables.
  bool HasVariables() const;
@@ -2091,7 +2096,6 @@ class ComputedStyle : public ComputedStyleBase,
  bool IsDisplayFlexibleOrGridBox() const {
    return IsDisplayFlexibleBox(Display()) || IsDisplayGridBox(Display());
  }
-  bool IsDisplayFlexibleBox() const { return IsDisplayFlexibleBox(Display()); }
  bool IsDisplayLayoutCustomBox() const {
    return IsDisplayLayoutCustomBox(Display());
  }

--- a/third_party/blink/web_tests/external/wpt/compat/webkit-box-removing-triggering-anonymous-merge.html
+++ b/third_party/blink/web_tests/external/wpt/compat/webkit-box-removing-triggering-anonymous-merge.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div style="display: -webkit-box">
+  <span><div></div></span>
+  <div id="target"></div>
+  text
+</div>
+<script>
+// Force a layout before removing.
+document.body.offsetTop;
+document.getElementById('target').remove();
+done();
+</script>